Comments on: D-Link adds captcha to routers

By: geniusthemaster

geniusthemaster — Sat, 21 Nov 2009 19:22:29 +0000

first off these hacks are trivial… pardon me while i blow your minds::
a:: you dont even need to log in if u know some trivial htm commands.
b:: the entire internet including the pentagon is vulnerable to command overload via xss
c:: xss isnt all that complicated its basically loading up other pages as script reference and using their commands as a form of library and or dll and or lib, not to mention some web pages have tools built right in such as advanced gps mac finder etc. and that leads to other types of hacks that are really too easy.. such as evil twin… nuking… ddos. theres more be sure of it ;)
final note.. currently there is a programmer who knows how to sniff any type password.. but hes not interested right now hes working on a yobi level compression system

By: nba

nba — Sat, 16 May 2009 02:25:49 +0000

@all
They messed up again, and gave admin access to everyone, no password needed since they exposed the md5 ash.
See http://www.theregister.co.uk/2009/05/15/dlink_router_gimmick/

By: niun

niun — Fri, 15 May 2009 20:06:25 +0000

@h.b.

you’ll only have to climb your stairs, to push the hardware button, the first time you want to set up the password. once the password is different from the default one, you can change it via the web interface or something else.

By: Wwhat

Wwhat — Fri, 15 May 2009 14:00:57 +0000

I think it will definitely stop lots of stuff, because any fool can make a script that puts in the default password, whereas making complex captcha cracking algorithms, especially in a small java script, is a whole hell of a lot harder.

By: amk

amk — Thu, 14 May 2009 08:08:56 +0000

so, now in addition to a default username/password list, malware will also require built in captcha cracking algorithms designed for specific router models.

it’s a speed bump. it might slow malware down a bit, but it’s definitely not going to stop anything.

how about a router that requires a user to actually configure it before it even thinks about DNS? i guess that might be inconvenient, and apparently convenience is more important that security.

By: scabby

scabby — Thu, 14 May 2009 02:32:55 +0000

@dirk: ‘i don’t lock my doors because people will just pick it’

i don’t think that’s it, really. here’s the scenario, in the guise of a terrible analogy: a majority of houses are unlocked and have no security. when you come to a house and there’s a ‘beware of dogs’ sign on the door, but no dogs barking, why wouldn’t you go in, especially if it’s not really ‘you’ going in, but rather some botnet zombie in malaysia doing the door opening. (sorry, my analogy totally flopped at the end.)

i too agree with all the folks here who think that simply forcing security onto the unwitting masses would be a boon. “we don’t trust you to keep your door locked, so here’s a spring loaded door that auto-locks. problem solved. (and while we’re at it, here’s some contraception so you don’t pass on your ‘can’t-read-the-setup-instructions’ gene.)”

By: shibathedog

shibathedog — Thu, 14 May 2009 02:24:00 +0000

Does anyone else find DLink bashing as stupid as I do? I’ve been seeing this a lot on other sites and I just wanted to see if anyone else felt the same way because the users here are typically a little more reasonable. I have a DIR-655 and a WRT54GS, I used to use DD-WRT on it for years and not long ago switched to Tomato. The DLink blows it away in every aspect. It can handle faster speeds (the WRT has trouble keeping up with my connection and effectively caps it), it can handle more connections without slowing down, it has more effective QOS, and the list goes on. I also had another DLink that performed better than the WRT, I forget the model number but it was called “Wireless N with Rangebooster” a pretty basic model. Now I don’t use the wireless at all except for when friends come over with laptops so maybe that has something to do with it, but I can always plug my WRT into the DLink to use as a wireless access point :D

By: Shadow

Shadow — Thu, 14 May 2009 00:22:51 +0000

Sorry but home users are retarded and will never change from default, because if they can connect to the internet ‘it works’ and when it works ‘leave it alone’. Is this really worth it? becuase people who actually buy WRT54G want them for only one reason and that is openWRT.

By: Wwhat

Wwhat — Wed, 13 May 2009 21:44:43 +0000

This is obviously a response to the recent events where trojans started to access router settings, to the embarrassment of router manufacturers, they had to make some move to show they care and do something surely.
UPNP already had it’s bad news moment and routers already only accept LAN UPNP now and my very old router has an option to limit UPNP to only give info and not let it change settings, or to allow limited settings or full, so they dealt with that issue already some time ago.
And they also presumably dealt with the now very old issue of UPNP not ever closing ports I’m assuming, those are issues of the past.

By: Ross Snider

Ross Snider — Wed, 13 May 2009 20:51:00 +0000

Everyone here arguing over whether CAPTCHA is secure has never heard of UPnP. How does your xBox port forward for xBox live?

Most information and settings on your router don’t need the HTTP interface to be accessed. In fact, most have several protocols (I’ve definitely seen telnet).

Hackaday, keep trying. You’ve jumped the shark several times but there might be hope yet.

By: Wwhat

Wwhat — Wed, 13 May 2009 16:48:09 +0000

The problem is that your password might be great but if it’s stored in your browser any old java or even vbscript can mess you up, so a captcha will prevent casual misuse by simple scripts on websites through standard browser/windows holes, which in turn might prevent lots of IE users from falling victim for starters.

By: steve

steve — Wed, 13 May 2009 14:29:04 +0000

@Dirk

There is a balance between security and usability. Moreover, your comparison with a physical lock is poor. Are there millions of automated drones constantly (and simultaneously, even) trying to pick your lock?

By: strider_mt2k

strider_mt2k — Wed, 13 May 2009 13:39:16 +0000

I’m usually among those who bitch when things get stupid, so let me also acknowledge the awesome dialog going on over this subject.

-and speaking of routers, is it just me or has that old linksys model become like a speak-n-spell where you have to really look to find one that hasn’t already been bent by someone?

I was just given an old Netgear router that gave me some encouragement because of it’s removable antennas, but I still have to look up the model to see if anything interesting is posible with it.

Regardless, great dialog here folks, kudos to the group.

By: H.B.

H.B. — Wed, 13 May 2009 12:54:06 +0000

@niun

A hardware buton is crap. My router is in the basement. My computer in the second floor. I don’t want to take the hole router up just to switch of the dyndns feature or change a Port Forwarding.

captchas are way to easy to find a workaraound nowadays, but they are a first step.

http Startup Page could be a solution

The best idea would be a unique password printed on the bottom of the router. Also configuration shpuld be disabled from Wlan which is still not the standard if you buy a router.

By: niun

niun — Wed, 13 May 2009 12:31:44 +0000

why not require the user to push a hardware button some seconds/minutes before the first login. if no button is pressed, nobody gets in.
If you have changed the password, there is no need to push the button anymore. If you forgot to change the password you have to push the button again before the next login. This would be the perfect turing test, because there will be no program that can press a hardware button in the near future.

but a random default password is also a nice solution.